FEMA relies on IT roadmap to tackle software security issues
It is essential to establish security requirements early in the software development lifecycle.
Trust between software development and security teams is one of the top challenges facing the Federal Emergency Management Agency (FEMA) as the agency modernizes cloud applications and services through the software development lifecycle (SDLC).
FEMA CISO Dr. Gregory Edwards believes that security requirements should be in place at the start of the SDLC, alongside functional and operational requirements. Sometimes the SDLC starts with no security standards built into the development process, which slows down the entire cycle.
“It’s a trust factor,” Edwards said at ATARC’s Fostering Effective DevSecOps event. “Programs have timelines and milestones and sometimes it’s quite difficult to get the safety tests that are needed for those milestones right, but it’s essential. So what we’re seeing is we’re getting to a point where the software has been developed and it’s been tested but without any security oversight.”
Sometimes that means removing the software and starting over with the right security requirements.
Through collaborative sessions with the help of industry, Edwards said, FEMA IT officials have developed an IT roadmap to monitor cyber risks and threats and ensure software development meets security standards.
FEMA’s IT Modernization Fund also fuels the agency’s efforts to implement the IT Roadmap.
“We have our plan for the next four to five years based on what we’ve seen this year from research,” Edwards said. “We identify these tools, techniques, capabilities and services through a roadmap that we plan to fully implement, knowing that some will mature, others will not. But we also have prototypes in place, testing this capability along the way and if it proves successful, of course we will continue.”
Lack of communication around security needs has been another major roadblock for FEMA, especially during the COVID-19 pandemic.
After reviewing the agency’s internal telecommuting policy, FEMA IT managers realized they needed to scale some telecommuting capabilities, such as improving employees’ ability to print from home. Home printing was a challenge initially, as FEMA needed to know the assets of households connecting to the FEMA Network and their security risk profiles.
“We had to change our mindset a bit, in that the mindset is that you have to know what it is before you can secure it or control it,” Edwards said. “We’ve worked very, very hard to get access to all the assets to know they’re there, and then we’ve had all these security checks that we put in place to be able to monitor and make sure they’re locked down.”
Another security challenge for FEMA is staying on top of fluctuating compliance regulations.
FEMA currently operates over 100 programs through the SDLC that are in various stages of compliance.
“We’re chasing the numbers, but ultimately we’re not going to achieve 100% compliance. Federal regulations change and it’s not worth trying to resist them, so we embrace them and put action plans and milestones in place,” Edwards said.
FEMA relies on its age-old vulnerability management system to gauge where it stands on security and to extract metrics.
“We’re also interested in seeing how we can take advantage of these and further automate these processes and get more rich insights to better manage the overall environment,” Edwards said.
Edwards also believes that all federal agencies should retain the concept of “security by design” as a guiding principle for software development.
“We have to find a way – as apps are developed and you earn contracts and efforts with our developers – [to] really work together to start at the beginning on the [security] the requirements are ending and don’t let us force you into an unrealistic timeline that doesn’t include security,” Edwards said. “It sets us all up for a bad ending.”